@Test
public void testUGIAuthMethodInRealUser() throws Exception {
final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser("proxy", ugi);
final AuthenticationMethod am = AuthenticationMethod.KERBEROS;
ugi.setAuthenticationMethod(am);
Assert.assertEquals(am, ugi.getAuthenticationMethod());
Assert.assertEquals(AuthenticationMethod.PROXY, proxyUgi.getAuthenticationMethod());
proxyUgi.doAs(
new PrivilegedExceptionAction<Object>() {
public Object run() throws IOException {
Assert.assertEquals(
AuthenticationMethod.PROXY,
UserGroupInformation.getCurrentUser().getAuthenticationMethod());
Assert.assertEquals(
am, UserGroupInformation.getCurrentUser().getRealUser().getAuthenticationMethod());
return null;
}
});
UserGroupInformation proxyUgi2 = new UserGroupInformation(proxyUgi.getSubject());
proxyUgi2.setAuthenticationMethod(AuthenticationMethod.PROXY);
Assert.assertEquals(proxyUgi, proxyUgi2);
// Equality should work if authMethod is null
UserGroupInformation realugi = UserGroupInformation.getCurrentUser();
UserGroupInformation proxyUgi3 = UserGroupInformation.createProxyUser("proxyAnother", realugi);
UserGroupInformation proxyUgi4 = new UserGroupInformation(proxyUgi3.getSubject());
Assert.assertEquals(proxyUgi3, proxyUgi4);
}
private void checkUgiFromToken(UserGroupInformation ugi) {
if (ugi.getRealUser() != null) {
Assert.assertEquals(AuthenticationMethod.PROXY, ugi.getAuthenticationMethod());
Assert.assertEquals(AuthenticationMethod.TOKEN, ugi.getRealUser().getAuthenticationMethod());
} else {
Assert.assertEquals(AuthenticationMethod.TOKEN, ugi.getAuthenticationMethod());
}
}
/**
* @param ugi A user group information.
* @return true if delegation token operation is allowed
*/
private boolean isAllowedDelegationTokenOp(UserGroupInformation ugi) throws IOException {
AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
if (authMethod == AuthenticationMethod.PROXY) {
authMethod = ugi.getRealUser().getAuthenticationMethod();
}
if (authMethod != AuthenticationMethod.KERBEROS
&& authMethod != AuthenticationMethod.KERBEROS_SSL
&& authMethod != AuthenticationMethod.CERTIFICATE) {
return false;
}
return true;
}
@Test
public void testUGIAuthMethod() throws Exception {
final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
final AuthenticationMethod am = AuthenticationMethod.KERBEROS;
ugi.setAuthenticationMethod(am);
Assert.assertEquals(am, ugi.getAuthenticationMethod());
ugi.doAs(
new PrivilegedExceptionAction<Object>() {
public Object run() throws IOException {
Assert.assertEquals(
am, UserGroupInformation.getCurrentUser().getAuthenticationMethod());
return null;
}
});
}
@Override
public void getAuthenticationToken(
RpcController controller,
AuthenticationProtos.GetAuthenticationTokenRequest request,
RpcCallback<AuthenticationProtos.GetAuthenticationTokenResponse> done) {
AuthenticationProtos.GetAuthenticationTokenResponse.Builder response =
AuthenticationProtos.GetAuthenticationTokenResponse.newBuilder();
try {
if (secretManager == null) {
throw new IOException("No secret manager configured for token authentication");
}
User currentUser = RequestContext.getRequestUser();
UserGroupInformation ugi = null;
if (currentUser != null) {
ugi = currentUser.getUGI();
}
if (currentUser == null) {
throw new AccessDeniedException("No authenticated user for request!");
} else if (!isAllowedDelegationTokenOp(ugi)) {
LOG.warn(
"Token generation denied for user="******", authMethod="
+ ugi.getAuthenticationMethod());
throw new AccessDeniedException(
"Token generation only allowed for Kerberos authenticated clients");
}
Token<AuthenticationTokenIdentifier> token =
secretManager.generateToken(currentUser.getName());
response.setToken(ProtobufUtil.toToken(token)).build();
} catch (IOException ioe) {
ResponseConverter.setControllerException(controller, ioe);
}
done.run(response.build());
}
private void validateHadoopFS(List<ConfigIssue> issues) {
boolean validHapoopFsUri = true;
hadoopConf = getHadoopConfiguration(issues);
String hdfsUriInConf;
if (hdfsUri != null && !hdfsUri.isEmpty()) {
hadoopConf.set(CommonConfigurationKeys.FS_DEFAULT_NAME_KEY, hdfsUri);
} else {
hdfsUriInConf = hadoopConf.get(CommonConfigurationKeys.FS_DEFAULT_NAME_KEY);
if (hdfsUriInConf == null) {
issues.add(
getContext().createConfigIssue(Groups.HADOOP_FS.name(), "hdfsUri", Errors.HADOOPFS_19));
return;
} else {
hdfsUri = hdfsUriInConf;
}
}
if (hdfsUri.contains("://")) {
try {
URI uri = new URI(hdfsUri);
if (!"hdfs".equals(uri.getScheme())) {
issues.add(
getContext()
.createConfigIssue(
Groups.HADOOP_FS.name(),
"hdfsUri",
Errors.HADOOPFS_12,
hdfsUri,
uri.getScheme()));
validHapoopFsUri = false;
} else if (uri.getAuthority() == null) {
issues.add(
getContext()
.createConfigIssue(
Groups.HADOOP_FS.name(), "hdfsUri", Errors.HADOOPFS_13, hdfsUri));
validHapoopFsUri = false;
}
} catch (Exception ex) {
issues.add(
getContext()
.createConfigIssue(
Groups.HADOOP_FS.name(),
"hdfsUri",
Errors.HADOOPFS_22,
hdfsUri,
ex.getMessage(),
ex));
validHapoopFsUri = false;
}
} else {
issues.add(
getContext()
.createConfigIssue(Groups.HADOOP_FS.name(), "hdfsUri", Errors.HADOOPFS_02, hdfsUri));
validHapoopFsUri = false;
}
StringBuilder logMessage = new StringBuilder();
try {
// forcing UGI to initialize with the security settings from the stage
UserGroupInformation.setConfiguration(hadoopConf);
Subject subject = Subject.getSubject(AccessController.getContext());
if (UserGroupInformation.isSecurityEnabled()) {
loginUgi = UserGroupInformation.getUGIFromSubject(subject);
} else {
UserGroupInformation.loginUserFromSubject(subject);
loginUgi = UserGroupInformation.getLoginUser();
}
LOG.info(
"Subject = {}, Principals = {}, Login UGI = {}",
subject,
subject == null ? "null" : subject.getPrincipals(),
loginUgi);
if (hdfsKerberos) {
logMessage.append("Using Kerberos");
if (loginUgi.getAuthenticationMethod()
!= UserGroupInformation.AuthenticationMethod.KERBEROS) {
issues.add(
getContext()
.createConfigIssue(
Groups.HADOOP_FS.name(),
"hdfsKerberos",
Errors.HADOOPFS_00,
loginUgi.getAuthenticationMethod(),
UserGroupInformation.AuthenticationMethod.KERBEROS));
}
} else {
logMessage.append("Using Simple");
hadoopConf.set(
CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
UserGroupInformation.AuthenticationMethod.SIMPLE.name());
}
if (validHapoopFsUri) {
getUGI()
.doAs(
new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
try (FileSystem fs = getFileSystemForInitDestroy()) { // to trigger the close
}
return null;
}
});
}
} catch (Exception ex) {
LOG.info("Error connecting to FileSystem: " + ex, ex);
issues.add(
getContext()
.createConfigIssue(
Groups.HADOOP_FS.name(),
null,
Errors.HADOOPFS_11,
hdfsUri,
String.valueOf(ex),
ex));
}
LOG.info("Authentication Config: " + logMessage);
}
public static URLConnectionClientHandler getClientConnectionHandler(
DefaultClientConfig config,
PropertiesConfiguration clientConfig,
final String doAsUser,
final UserGroupInformation ugi) {
config
.getProperties()
.put(URLConnectionClientHandler.PROPERTY_HTTP_URL_CONNECTION_SET_METHOD_WORKAROUND, true);
Configuration conf = new Configuration();
conf.addResource(conf.get(SSLFactory.SSL_CLIENT_CONF_KEY, "ssl-client.xml"));
UserGroupInformation.setConfiguration(conf);
final ConnectionConfigurator connConfigurator = newConnConfigurator(conf);
String authType = "simple";
if (clientConfig != null) {
authType = clientConfig.getString("atlas.http.authentication.type", "simple");
}
Authenticator authenticator = new PseudoDelegationTokenAuthenticator();
if (!authType.equals("simple")) {
authenticator = new KerberosDelegationTokenAuthenticator();
}
authenticator.setConnectionConfigurator(connConfigurator);
final DelegationTokenAuthenticator finalAuthenticator =
(DelegationTokenAuthenticator) authenticator;
final DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token();
HttpURLConnectionFactory httpURLConnectionFactory = null;
try {
UserGroupInformation ugiToUse = ugi != null ? ugi : UserGroupInformation.getCurrentUser();
final UserGroupInformation actualUgi =
(ugiToUse.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY)
? ugiToUse.getRealUser()
: ugiToUse;
LOG.info(
"Real User: {}, is from ticket cache? {}", actualUgi, actualUgi.isLoginTicketBased());
LOG.info("doAsUser: {}", doAsUser);
httpURLConnectionFactory =
new HttpURLConnectionFactory() {
@Override
public HttpURLConnection getHttpURLConnection(final URL url) throws IOException {
try {
return actualUgi.doAs(
new PrivilegedExceptionAction<HttpURLConnection>() {
@Override
public HttpURLConnection run() throws Exception {
try {
return new DelegationTokenAuthenticatedURL(
finalAuthenticator, connConfigurator)
.openConnection(url, token, doAsUser);
} catch (Exception e) {
throw new IOException(e);
}
}
});
} catch (Exception e) {
if (e instanceof IOException) {
throw (IOException) e;
} else {
throw new IOException(e);
}
}
}
};
} catch (IOException e) {
LOG.warn("Error obtaining user", e);
}
return new URLConnectionClientHandler(httpURLConnectionFactory);
}
